(57) ABSTRACT

In encryption techniques using an elliptic curve, in order to
use a homogeneous coordinate system $[X, Y, Z]$, a high
speed $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$ for the addition and a high
speed $[X_1, Y_1, Z_1]$ for the doubling, the following schemes
are provided: (1) Addition is executed by
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$.
(2) Doubling is executed by a conventional
$[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$ and an addition operation is executed by
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$.
It is also required to speed up the multiplication modulo operation.
The Montgomery multiplication modulo operation is speeded up by using the
following forms of the definition order (prime): (3) the
multiplication modulo operation is executed at high speed
by using a prime having a form of $p = Ab^n + B$ where $0 < A < 2^w$,
$0 < B < 2^w$, $b = 2^w$; and w, A, b, n and B are positive integers.

15 Claims, 4 Drawing Sheets 
ELLIPTIC CURVE ENCRYPTION METHOD AND SYSTEM

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to techniques of retaining
security of a computer network, and more particularly to
encryption techniques using an elliptic curve.

2. Description of the Related Art

Elliptic curve encryption is public key cryptography
independently invented by V. Miller and N. Koblitz.

The public key cryptosystem has been developed in order
to eliminate disadvantages of a common key cryptosystem,
the disadvantages being the security which may possibly be
lowered at the stage when a private key which is kept secret
from third parties is shared by two partners exchanging
enciphered information. In this public key cryptosystem, a
pair of a private and a public key is used. The private key
secret from third parties belongs to a particular individual,
and the public key is obtained through arithmetic operation
of the private key and made public to third parties.

One feature of this public key cryptosystem resides in that
a text enciphered by the public key of a particular person
cannot be deciphered unless the private key (paired with the
public key) of the person is used. This feature can be utilized
when a text is transmitted to a partner while the text is kept
secret from third parties. For example, when Mr. A transmits
a text to Mr. B, the text enciphered by using the public key
of Mr. B is transmitted. The enciphered text can be
deciphered only with the private key of Mr. B paired with the
public key so that only Mr. B can recover the original plain
text.

A text enciphered with the private key of a particular
person can be verified, by using the public key paired with
the private key of the person as to whether or not the text
was enciphered by the secret key. This feature can be applied
to digital signature. The digital signature is data obtained
through arithmetic operation of a text to be signed and
through encipher with the private key of the signer. For
example, verification of the digital signature of Mr. A can be
made depending upon whether or not the data obtained
through decipher of the digital signature with the public key
of Mr. A is coincident with the data obtained through
arithmetic operation of a text to be signed and through
encipher with the private key of the signer. If coincident, it
can be verified that the digital signature is a correct signature
made by Mr. A and that the text with the digital signature
was not illegally altered. This feature can therefore be
applied to identification of a particular person and
prevention of illegal alteration on a network such as the Internet.
Verification of a correct signature can be applied to prevent
a hostile pretender from purchasing some goods. Verification
of no alteration of a text can be applied to prevent
alteration of a price entered in a contract note or a receipt.

From the viewpoint of security, requirements for the
public key cryptosystem are that it is practically impossible
to find a private key from a paired public key made public
to third parties. Other requirements for the public key
cryptosystem which fundamentally takes a longer encipher
and decipher time than a private key cryptosystem are a
shorter encipher and decipher time. As the techniques of the
public key cryptosystem satisfying these two contradictory
requirements of security and speed, an elliptic curve
encryption has been paid much attention, which is better than
conventional RSA and ElGamal cryptosystems.

An elliptic curve is represented by a standard formula
$y^2 = x^3 + ax + b$ ($4a^3 + 27b^2 \neq 0$) of an elliptic curve in a finite field
having a characteristic of 5 or higher. If a point of infinity is
added to this curve, the Abelian group is established. The
Abelian operation is represented by a symbol +.

A typical elliptic curve used for encryption is represented
by the following standard forms of Weierstrass.

0: Unit element (a point of infinity on a two-dimensional
projective plane of an elliptic curve).

1) $0 + 0 = 0$

2) $(x, y) + 0 = (x, y)$

3) $(x, y) + (x, -y) = 0$

4) Commutativity: $(x_1, y_1) + (x_2, y_2) = (x_2, y_2) + (x_1, y_1)$

5) Addition: $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$;
$x_3 = \lambda^2 - x_1 - x_2$; $y_3 = \lambda(x_1 - x_3) - y_1$; $\lambda = (y_2 - y_1)/(x_2 - x_1)$

6) Doubling: $(x_3, y_3) = (x_1, y_1) + (x_1, y_1) = 2(x_1, y_1)$;
$x_3 = \lambda^2 - 2x_1$; $y_3 = \lambda(x_1 - x_3) - y_1$; $\lambda = (3x_1^2 + a)/(2y_1)$

An elliptic curve cryptograph uses an elliptic curve in a
finite field and a set of points constituting the finite field.
As the finite field, a set Fp of remainders of integers
congruent modulo of a prime p is used,

$F_p = \{0, 1, \ldots, p-1\}$

The order of a finite field is the number of elements of the
finite field. The order of an elliptic curve is the number of
points on an elliptic curve.

A result of s-time addition of P (P + ... + P) is called an
s-multiple point of P, and an operation of obtaining the
s-multiple point of P is represented by sP.

The order n of a point P on an elliptic curve is n which
satisfies $nP = 0$, $1 \le m < n$, and $mP \neq 0$.

Keys of the elliptic curve cryptograph include the following
elliptic curve, base point, public key, and private key.

Coefficients of an elliptic curve are a and b.

Base point: a point P having a prime as the order.

Private key: finite field element d.

Public key: a point Q of private-key multiplication of the
base point ($Q = dP$).

An elliptic curve, base point, and public key are public
information. The public key and private key are different for
each user, whereas the elliptic curve and base point are
common to each user.

Data encipher, data decipher, digital signature generation,
and digital signature verification respectively of the elliptic
curve encryption uses a sR operation of an arbitrary point R.
This operation can be executed by a combination of the
above-described addition and doubling. The above-described
addition arithmetic and doubling each require to
perform a division once. However, it takes a very long time
to perform a division in a finite field. A method of avoiding
a division in the finite field has been desired.

According to the document of D. V. Chudnovsky, G. V.
Chudnovsky, "Sequences of Numbers Generated by Addition
in Formal Groups and New Primality and
Factorization Tests", Advances in Applied Mathematics, 7,
formulas of the addition and doubling are
derived in a projective space. These formulas will be
described in the following.

Chudnovsky Formulas 1

Addition:

$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1] + [X_2, Y_2, Z_2]$

$X_3 = -P^2(U_1 + U_2) + R^2$

$2Y_3 = R(-2R^2 + 3P^2(U_1 + U_2)) - P^3(S_1 + S_2)$

$Z_3 = Z_1 Z_2 P$
$U_1 = X_1(Z_2)^2$; $U_2 = X_2(Z_1)^2$; $S_1 = Y_1(Z_2)^3$;
$S_2 = Y_2(Z_1)^3$;
$P = U_2 - U_1$; $R = S_2 - S_1$

Doubling:

$[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$

$X_3 = T$

$Y_3 = -8((Y_1)^2)^2 + M(S - T)$

$Z_3 = 2Y_1 Z_1$

$S = 4X_1(Y_1)^2$; $M = 3(X_1)^2 + a((Z_1)^2)^2$; $T = -2S + M^2$

$M = 3(X_1 - (Z_1)^2)(X_1 + (Z_1)^2)$ if $a = -3$

$M = 3(X_1)^2$ if $a = 0$

The $X_1$, $Y_1$, and $Z_1$ are finite field elements whose data
can be expressed by a multiple-precision integer (larger than
$2^{160}$).

Multiple-precision multiplication modulo arithmetic generally
takes a longer time than multiple-precision addition
and subtraction. Therefore, a calculation time can be evaluated
from the multiplication modulo arithmetic. The above-cited 
document describes that the addition arithmetic requires to 
perform a multiplication modulo operation 16 times and the 
doubling requires to perform it 10 times. It also describes 
that if the coefficient a of an elliptic curve is a=-3, it is 
required to perform the multiplication modulo operation 8 
times, and if a=0, it is required to perform it 8 times. 

The document further describes a method using an
expression of $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$ which is described
in the following.

Chudnovsky Formulas 2

Addition arithmetic:

$[X_3, Y_3, Z_3, (Z_3)^2, (Z_3)^3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2, (Z_2)^2, (Z_2)^3]$

Doubling:

$[X_3, Y_3, Z_3, (Z_3)^2, (Z_3)^3] = 2[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$

The document describes that the addition arithmetic 
requires to perform the multiplication modulo operation 14 
times and the doubling requires to perform it 11 times. 

The addition arithmetic can be performed at high speed by 
<Chudnovsky Formulas 2>, whereas the doubling can be 
performed at high speed by <Chudnovsky Formulas 1>. 

As an example of the multiple-precision multiplication
modulo arithmetic, Montgomery modulo arithmetic is
known which is described in the document of A. Menezes,
P. Oorschot, S. Vanstone, "Handbook of Applied
Cryptography", CRC Press, p. 600 (1996), Section 14.3
Multiple-precision modular arithmetic.

The Montgomery modulo arithmetic described in this
document will be described.

Input:

$p = (p_{n-1}, \ldots, p_1, p_0)$; $\gcd(p, b) = 1$; $R = b^n$;
$p' = -1/p \bmod b$; $T = (t_{2n-1}, \ldots, t_1, t_0) < pR$;
$b = 2^w$

p is a modulo by which an integer is divided to obtain a
remainder. $0 \le p_i < b$. $0 \le t_i < b$. w is a positive integer. T
is a multiplication result of integers x and y which is
smaller than p.
An output is assumed to be $T/R \pmod{p}$.

Step 1: $A \leftarrow T$

Step 2: The following Steps 2.1 and 2.2 are executed from
$i = 0$ to $i = (n-1)$.

Step 2.1: $u_i \leftarrow a_i p' \bmod b$

Step 2.2: $A \leftarrow A + u_i p b^i$

Step 3: $A \leftarrow A/b^n$

Step 4: If $A \ge p$, then $A \leftarrow A - p$

Step 5: A is an output.

An elliptic curve used for the elliptic curve encryption is
expressed by an elliptic curve $y^2 = x^3 + ax + b$ which uses as the
definition field a prime field Fp having a prime p as its order.
In order to form a perfect elliptic curve, it is necessary to set
the parameters a and b which have prime factors r having a
large order #E(Fp) of an elliptic curve, where

#E(Fp) = kr, k is a small integer, and r is a large prime.

A method of setting parameters of an elliptic curve having
primes with a large order is described in the document of
Henri Cohen, "A Course in Computational Algebraic Number
Theory", GTM138, Springer (1993), p. 464, Atkin's Test.

As a primality test used when the prime p is generated, a
Miller-Rabin primality test is widely used which is
described in the document of A. Menezes, P. Oorschot, S.
Vanstone, "Handbook of Applied Cryptography", CRC
Press, p. 139 (1996), Section 4.1.3.

Elliptic curve cryptographs using specific primes are
described in U.S. Pat. No. 5,271,061 and U.S. Pat. No.
5,463,690. These patents disclose techniques of using the
prime p in the form of "$p = 2^e - a$; e is a positive integer; and
$a < 2^{32}$ or $a = 1$" in the elliptic curve encryption having as its
definition field a finite field Fq with q=p*, i.e., a finite field 
of characteristic p. An operation of obtaining an s-multiple
point of a point P is similar to an exponentiation modulo
operation of an integer of a raised to a power of e. As a high
speed exponent operation, a sliding-window method is
known which is described in the document of A. Menezes,
P. Oorschot, S. Vanstone, "Handbook of Applied
Cryptography", CRC Press, p. 616 (1996), Section 14.6.1
(ii), "Sliding-window exponentiation".

Both <Chudnovsky Formulas 1> and <Chudnovsky Formulas 2>
are not satisfactory for high speed operations. The
inventors consider that an operation method is desired which
provides an efficiency of <Chudnovsky Formulas 2> for the
addition and an efficiency of <Chudnovsky Formulas 1> for
the doubling.

In order to further speed up a calculation time, it is
necessary to speed up the multiplication modulo operation
used in <Chudnovsky Formulas 1> and <Chudnovsky Formulas 2>.

SUMMARY OF THE INVENTION 

In order to solve the above-described problems, the following
means are provided in order to use a high speed
$[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$ for the addition and a high speed
$[X_1, Y_1, Z_1]$ for the doubling.

(1) Addition: execute
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$.

(2) A doubling point calculation is executed by a conventional
$[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$ and an addition
operation is executed by
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$.

It is also required to speed up the multiplication modulo
operation. The Montgomery multiplication modulo operation
is speeded up by using the following forms of the
definition order (prime).
(3) The multiplication modulo operation is executed at
high speed by using a prime having a form of $p = Ab^n + B$
($0 < A < 2^w$; $0 < B < 2^w$; $b = 2^w$; and w, A, b, n and B are
positive integers).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an elliptic curve
encryption method according to a first embodiment of the
invention.

FIG. 2 is a flow chart illustrating an elliptic curve operation
of the elliptic curve encryption method of the first
embodiment.

FIG. 3 is a flow chart illustrating a prime generation
operation capable of performing an elliptic curve encryption
method at high speed according to a second embodiment of
the invention.

FIG. 4 is a flow chart illustrating a prime generation
operation capable of performing an elliptic curve encryption
method at high speed according to a third embodiment of the
invention.

FIG. 5 is a diagram showing a bit train of primes used by
the second embodiment.

FIG. 6 is a diagram showing a bit train of primes used by
the third embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

FIG. 1 illustrates a first embodiment. An elliptic curve
encryption system of this invention illustrated in FIG. 1
executes enciphering and deciphering operations.

An elliptic curve generating unit 101 generates an elliptic
curve to be used for elliptic curve encryption. A public/
private key generating unit 102 generates a public key 116
and a private key 117 in accordance with an input elliptic
curve generated by the elliptic curve generating unit 101.
The public key 116 is distributed over a network (not shown)
or the like similar to a conventional public key cryptosystem.

An enciphering unit 103 receives a plain text 113 and a
public key 116 and outputs an enciphered text 114. The
enciphering unit 103 may be formed on an electronic
apparatus other than a computer if the electronic apparatus
has an arithmetic unit capable of operating the enciphering
unit 103 in accordance with the elliptic curve encryption of
this invention.

A deciphering unit 104 receives the enciphered text 114
and private key 117 and outputs a plain text 115 which is the
same as the original plain text 103. Similar to the enciphering
unit 103, the deciphering unit 104 may be formed on an
electronic apparatus other than a computer if the electronic
apparatus has an arithmetic unit capable of operating the
deciphering unit 104 in accordance with the elliptic curve
encryption of this invention.

The prime p is generated by a prime generating unit 105
of the elliptic curve generating unit 101 by the following
sequence.

1: A random number p is generated to follow the next step.

2: The prime of p is judged by the Miller-Rabin primality
test. If the random number is judged as the prime, the
sequence is terminated, whereas if it is judged as a
composite number, the sequence returns to step 1.

The invention may be practiced by using another primality
test.

An elliptic curve parameter setting unit 106 sets the
parameters a and b of an elliptic curve $y^2 = x^3 + ax + b$ which
uses as the definition field a prime field Fp having the prime
p generated by the prime generating unit 105 as its order. In
order to form a perfect elliptic curve, it is necessary to set the
parameters a and b which have prime factors r having a large
order #E(Fp) of the elliptic curve, where

#E(Fp) = kr, k is a small integer, and r is a large prime.

By using the method described in the document of Henri
Cohen, "A Course in Computational Algebraic Number
Theory", GTM138, Springer (1993), p. 464, Atkin's Test, an
elliptic curve is generated which has large prime factors r as
the order. The invention may be practiced by using another
elliptic curve parameter setting method capable of setting an
elliptic curve having large prime factors r as the order of the
elliptic curve.

A base point generating unit 107 obtains a generator of a
cyclic group having the prime factor r as the order in an
Abelian group on the elliptic curve. If #E(Fp) = kr, the
following sequence is executed.

1: An arbitrary point $(x_1, y_1)$ on E(Fp) is obtained.

2: If $r(x_1, y_1) = 0$ and $k(x_1, y_1) \neq 0$, the base point is
$G = (x_1, y_1)$. If not, the sequence returns to step 1.

An operation $r(x_1, y_1)$ is a scalar multiplication
(r-multiplication) operation of $(x_1, y_1)$, which will be later
described with an elliptic curve calculating unit 109.

As described above, in the elliptic curve generating unit
101, the definition field order p, the parameters a and b of the
elliptic curve $y^2 = x^3 + ax + b$, base point G, and base point
order r are generated which are information to be made
public.

The public/private key generating unit 102 generates the
public key and private key by the following sequence.

Input:

Definition field order p, parameters a and b of the elliptic
curve $y^2 = x^3 + ax + b$, and base point G

Output:

Public key Q and private key d

1: A random number $2 < d < p-1$ is generated.

2: $Q = dG$, a d-multiple of G is obtained, which will be later
described with the elliptic curve calculating unit 109.

The public key is information to be made public, and the
private key is information to be kept in secret. A problem of
obtaining d from Q and G is called a discrete logarithm
problem. A calculation amount of calculating d from the
elliptic curve is in the order of an exponent of a bit length
of the order r of the base point. Therefore, if r is a large
prime, e.g., $r > 2^{159}$, it is practically impossible to obtain d
from Q and G. This is a principle of an elliptic curve
encryption.

The enciphering unit 103 converts the plain text 113 into
the enciphered text by the following sequence.

Input:

Plain text M, public key Q, definition field order p,
parameters a and b of the elliptic curve $y^2 = x^3 + ax + b$, and
base point G

Output:

Enciphered Text C

Step 1: A random number k is generated (random number
generating unit 108).

Step 2: $(x_1, y_1) = kG$ (elliptic curve calculating unit 109).

Step 3: $(x_2, y_2) = kQ$ (elliptic curve calculating unit 109).

Step 4: $M' = M \text{ XOR } x_2$ (data enciphering unit 110).

Step 5: Enciphered text $C = x_1 || y_1 || M'$ (data enciphering
unit 110).

The elliptic curve calculating unit 109 executes a scalar
multiplication operation kR of an arbitrary point R.
In this operation, an addition operation is executed by
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$ and a
doubling point calculation is executed by a conventional
$[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$. This method will be described
with reference to the flow chart of FIG. 2. Steps 2 and 3 are
executed as illustrated in the flow chart of FIG. 2.

Input:

k, $R = [X_1, Y_1, Z_1]$

Output:

kR

At Step 201, the operation starts.

At Step 202, k and $R = [X_1, Y_1, Z_1]$ are input.

At Step 203, k is expressed by binary notation as
$H_m, \ldots, H_0$.

At Step 204, it is set that $[X_k, Y_k, Z_k] \leftarrow [X_1, Y_1, Z_1]$ and
$j \leftarrow m$, and $(Z_1)^2$ and $(Z_1)^3$ are calculated.

At Step 205, it is set that $j \leftarrow j - 1$.

At Step 206, it is checked whether $j = 0$, in order to repeat
Steps 206 to 208 from m to 1 of the variable j in the
descending order. If $j = 0$, the flow skips to Step 210,
whereas if not the flow advances to Step 207.

At Step 207, it is set that $[X_k, Y_k, Z_k] \leftarrow 2[X_k, Y_k, Z_k]$.

At Step 208, it is judged whether $H_j = 0$. If 0, the flow
advances to Step 209, whereas if 1, the flow returns to
Step 205.

At Step 209, it is set that
$[X_k, Y_k, Z_k] \leftarrow [X_k, Y_k, Z_k] + [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$.

At Step 210, kR is output.

At Step 211, the operation is terminated.

The deciphering unit 104 converts the enciphered text 114 
into the original plain text 115 same as the plain text 113 by 
the following sequence. 
Input: 

Enciphered text $C = x_1 || y_1 || M'$, private key d, definition
field order p, parameters a and b of the elliptic curve
$y^2 = x^3 + ax + b$, and base point G

Output:

Plain text M

Step 1: $(x_2, y_2) = k(x_1, y_1)$ (elliptic curve calculating unit
111).

Step 2: Plain text $M = M' \text{ XOR } x_2$

Step 1 is executed as illustrated in the flow chart of FIG. 2.

Next, a second embodiment will be described. In the
second embodiment, the prime generating unit 105 shown in
FIG. 1 generates a specific prime to allow a high speed
operation. By using a prime having the form of $p = Ab^n + B$
($0 < A < 2^w$; $0 < B < 2^w$; $b = 2^w$; and w, b, n and B are positive
integers), the multi-precision modulo operation can be
performed at high speed. The first and second embodiments
may be practiced independently or a combination thereof
may be practiced at higher speed.

By using the definition field order (prime) having the form
of $p = Ab^n + B$, the Montgomery multiplication modulo operation
used by the multi-precision integer multiplication
modulo operation can be performed at high speed. This
method will be described with reference to the flow chart
shown in FIG. 3.

At Step 301, the operation starts. 

At step 302, b and n are input. 

At Step 303, a random number $p = Ab^n + B$ is generated.

At Step 304, the prime of p is judged. In this example, the
Miller-Rabin primality test is used. If it is judged that
p is a prime, the flow advances to Step 305, whereas if
it is judged that p is a composite number, the flow
returns to Step 303.

At Step 305, p is output.

At Step 306, the operation is terminated.

Since the prime having the above-described form is used,
in the Montgomery modulo operation described with the
conventional techniques, a multiplication of p in Step 2.2:
$A \leftarrow A + u_i p b^i$ can be performed at high speed.

In a conventional operation, a multiplication is performed
for all $p_i$ and $u_i$. With the prime of this embodiment, a
multiplication is performed only for the highest $p_n = A$ and
the lowest $p_0 = B$. With the prime of this embodiment, $p_i$
excepting the highest and lowest is 0. For example, as shown
in FIG. 5, if $w = 32$, and $n = 5$, the bits 502, 503, and 504
excepting the highest 32 bits 501 and lowest 32 bits 505 are
0 so that a multiplication work between 0 and $u_i$ can be
omitted.

Next, a third embodiment will be described. In the third
embodiment, the prime generating unit 105 shown in FIG. 1
generates a prime having a form of $p = Ab^n + 1$ to allow a high
speed operation. This prime is a specific example of the
prime described with FIG. 3. As compared to the prime
described with FIG. 3, since a multiplication of the lowest $p_0$
is $1 \times p_0$ and is not necessary, a multiplication is performed
only for the highest $p_n$. For example, as shown in FIG. 6, if
$w = 32$ and $n = 5$, a multiplication is performed only for the
highest 32 bits 601. The bits 602, 603, and 604 are 0 so that
a multiplication work between 0 and $u_i$ can be omitted. Since
the lowest 605 is 1, the multiplication by $u_i$ can be omitted.
This method will be described with reference to the flow
chart shown in FIG. 4.

At Step 401, the operation starts.

At Step 402, b and n are input.

At Step 403, a random number $p = Ab^n + 1$ is generated.

At Step 404, the prime of p is judged. In this example, the
Miller-Rabin primality test is used. If it is judged that
p is a prime, the flow advances to Step 405, whereas if
it is judged that p is a composite number, the flow
returns to Step 403.

At Step 405, p is output.

At Step 406, the operation is terminated.
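
The saving claimed for the second and third embodiments can be checked against the Montgomery steps listed earlier. The following is an added example, not code from the patent: the function names, the fixed seed and the limb-multiplication counter are assumptions, and p = A*b^n + B is taken to have n+1 limbs (so R = b^(n+1)), as "the highest p_n = A" implies.

```python
# Added example: names, seed and the multiplication counter are assumptions.
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test, the test named for Steps 304 and 404."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_sparse_prime(w, n, rng, low_limb=None):
    """FIG. 3 flow: draw p = A*b^n + B (b = 2^w) until the test accepts it.
    low_limb=1 gives the FIG. 4 form p = A*b^n + 1."""
    b = 1 << w
    while True:
        A = rng.randrange(1, b)
        B = low_limb if low_limb is not None else rng.randrange(1, b) | 1
        p = (A << (w * n)) + B            # B is odd, so gcd(p, b) = 1
        if is_probable_prime(p, rng):
            return p, A, B


def mont_reduce(T, p, w, limbs):
    """Steps 1-5 for a general p. Returns (T/R mod p, limb multiplications)."""
    b = 1 << w
    p_inv = -pow(p, -1, b) % b            # p' = -1/p mod b
    acc, mults = T, 0
    for i in range(limbs):                # Step 2
        a_i = (acc >> (w * i)) & (b - 1)
        u_i = a_i * p_inv % b             # Step 2.1: one multiplication
        acc += (u_i * p) << (w * i)       # Step 2.2: u_i times every limb of p
        mults += 1 + limbs
    acc >>= w * limbs                     # Step 3
    return (acc - p if acc >= p else acc), mults   # Step 4


def mont_reduce_sparse(T, A, B, w, n):
    """Same reduction for p = A*b^n + B: Step 2.2 touches only limbs n and 0."""
    b = 1 << w
    p = (A << (w * n)) + B
    p_inv = -pow(B, -1, b) % b            # only the low limb of p matters mod b
    acc, mults = T, 0
    for i in range(n + 1):
        a_i = (acc >> (w * i)) & (b - 1)
        if B == 1:                        # third embodiment: p' = -1 mod b
            u_i = -a_i % b                # a negation, no multiplication
            low = u_i                     # u_i * 1
        else:
            u_i = a_i * p_inv % b
            low = u_i * B
            mults += 2
        high = u_i * A
        mults += 1
        acc += (high << (w * (n + i))) + (low << (w * i))
    acc >>= w * (n + 1)
    return (acc - p if acc >= p else acc), mults


if __name__ == "__main__":
    rng = random.Random(2024)             # fixed seed so the run is repeatable
    p, A, B = gen_sparse_prime(32, 5, rng)
    T = rng.randrange(p) * rng.randrange(p)
    print(hex(p))
    print(mont_reduce(T, p, 32, 6)[1], mont_reduce_sparse(T, A, B, 32, 5)[1])
```

The counter models single-limb multiplications only; carries and additions are left to Python's big integers.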
Next, a fourth embodiment will be described. In the fourth
embodiment, a higher speed operation is realized by the
elliptic curve calculating unit 109 shown in FIG. 1. In the
fourth embodiment, the sliding-window method is used for
an s-multiple point operation of a point P, an addition
operation is executed by
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$,
and a doubling point calculation is
executed by a conventional $[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$.

An algorithm described in the document of A. Menezes,
P. Oorschot, S. Vanstone, "Handbook of Applied
Cryptography", CRC Press, p. 616 (1996), Section 14.6.1
(ii) "Sliding-window exponentiation" will be described.

Sliding-window Exponentiation 

Input:

$g$, $e = (e_t, e_{t-1}, \ldots, e_1, e_0)$, $e_t = 1$, $k$ (integer)

Output:

$g^e$

Preliminary Calculations:

$g_1 \leftarrow g$; $g_2 \leftarrow g^2$; $g_{2i+1} \leftarrow g_{2i-1} \cdot g_2$ from 1 to $(2^{k-1} - 1)$ of $i$

Step 1: $A \leftarrow 1$; $i \leftarrow t$

Step 2: the following Steps are executed if $i \ge 0$

Step 21: if $e_i = 0$, $A \leftarrow A^2$ and $i \leftarrow i - 1$

Step 22: if not, the longest bit string $e_i, e_{i-1}, \ldots, e_l$ where
$i - l + 1 \le k$ and $e_l = 1$ is searched, and it is set that
$A \leftarrow A^2 \cdot g_{(e_i, e_{i-1}, \ldots, e_l)}$ and $i \leftarrow l - 1$.
This algorithm is utilized for an algorithm of obtaining eP 
by using the addition operation of the invention. The algo- 
rithm of obtaining eP will be described. 

Calculation of an e-multiple Point of a Point P 
using Sliding-window Method 

Input:

$g$, $e = (e_t, e_{t-1}, \ldots, e_1, e_0)$, $e_t = 1$, $k$ (integer)

Output:

$eP$

Preliminary Calculations:

$P_1 \leftarrow P$; $P_2 \leftarrow 2P$; $P_{2i+1} \leftarrow P_{2i-1} + P_2$ from 1 to $(2^{k-1} - 1)$ of $i$

Step 1: $A \leftarrow P$; $i \leftarrow t$

Step 2: the following Steps are executed if $i \ge 0$

Step 21: if $e_i = 0$, $A \leftarrow 2A$;

Step 22: if not, the longest bit string $e_i, e_{i-1}, \ldots, e_l$ where
$i - l + 1 \le k$ and $e_l = 1$ is searched, and it is set that
$A \leftarrow 2A + P_{(e_i, e_{i-1}, \ldots, e_l)}$ and $i \leftarrow l - 1$.

In the preliminary calculations of this algorithm, each
$P_{2i+1}$ is expressed by $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$. The
calculation of $A \leftarrow 2A$ at Steps 21 and 22 is performed by
$[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$. An addition calculation in
$2A + P_{(e_i, e_{i-1}, \ldots, e_l)}$ at Step 22 is performed by
$[X_3, Y_3, Z_3] = [X_2, Y_2, Z_2] + [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$.
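
An added example, not code from the patent, of the mixed representation used here and in the first embodiment: table points carry [X, Y, Z, Z^2, Z^3], the accumulator stays in [X, Y, Z], and with k=1 the loop reduces to a bit-by-bit double-and-add of the kind FIG. 2 describes. The toy curve over F_97, the function names, starting the accumulator at the point at infinity and the explicit handling of equal-x operands are assumptions; results are checked against affine arithmetic.

```python
# Added example: toy curve and all names are assumptions, not from the patent.
P_FIELD, A_COEF = 97, 2      # constructed curve y^2 = x^3 + 2x + 3 over F_97
G = (3, 6)                   # affine point on it: 6^2 = 36 = 27 + 6 + 3
INF = (1, 1, 0)              # point at infinity, encoded as Z = 0
INV2 = pow(2, -1, P_FIELD)   # the addition formula is given for 2*Y3


def double(pt):
    """[X3, Y3, Z3] = 2[X1, Y1, Z1] (Chudnovsky Formulas 1, doubling)."""
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:   # infinity, or a point of order 2
        return INF
    p = P_FIELD
    yy = Y1 * Y1 % p
    S = 4 * X1 * yy % p
    M = (3 * X1 * X1 + A_COEF * pow(Z1, 4, p)) % p
    T = (M * M - 2 * S) % p
    return (T, (M * (S - T) - 8 * yy * yy) % p, 2 * Y1 * Z1 % p)


def cache(pt):
    """Extend [X, Y, Z] to [X, Y, Z, Z^2, Z^3] for reuse in every later addition."""
    X, Y, Z = pt
    zz = Z * Z % P_FIELD
    return (X, Y, Z, zz, zz * Z % P_FIELD)


def add_cached(c1, pt2):
    """[X3, Y3, Z3] = [X1, Y1, Z1, (Z1)^2, (Z1)^3] + [X2, Y2, Z2]."""
    X1, Y1, Z1, Z1_2, Z1_3 = c1
    X2, Y2, Z2 = pt2
    p = P_FIELD
    if Z1 == 0 or Z2 == 0:   # one operand is the point at infinity
        return pt2 if Z1 == 0 else (X1, Y1, Z1)
    Z2_2 = Z2 * Z2 % p
    U1, U2 = X1 * Z2_2 % p, X2 * Z1_2 % p
    S1, S2 = Y1 * Z2_2 * Z2 % p, Y2 * Z1_3 % p
    P, R = (U2 - U1) % p, (S2 - S1) % p
    if P == 0:               # equal x: the formulas degenerate, handle explicitly
        return double(pt2) if R == 0 else INF
    PP = P * P % p
    X3 = (R * R - PP * (U1 + U2)) % p
    Y3 = (R * (3 * PP * (U1 + U2) - 2 * R * R) - PP * P * (S1 + S2)) * INV2 % p
    return (X3, Y3, Z1 * Z2 * P % p)


def to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None          # None stands for the point at infinity
    zi = pow(Z, -1, P_FIELD)
    return (X * zi * zi % P_FIELD, Y * zi ** 3 % P_FIELD)


def scalar_mul(e, point, k=4):
    """e*point by the sliding-window method with window width k."""
    base = (point[0], point[1], 1)
    two_p = cache(double(base))
    table = {1: cache(base)}              # odd multiples P, 3P, ..., (2^k - 1)P
    for i in range(3, 1 << k, 2):
        table[i] = cache(add_cached(two_p, table[i - 2][:3]))
    acc, i = INF, e.bit_length() - 1
    while i >= 0:                         # branches on bits of e: not constant time
        if not (e >> i) & 1:              # Step 21
            acc, i = double(acc), i - 1
            continue
        lo = max(i - k + 1, 0)            # Step 22: longest window ending in a 1 bit
        while not (e >> lo) & 1:
            lo += 1
        for _ in range(i - lo + 1):       # one doubling per bit of the window
            acc = double(acc)
        acc = add_cached(table[(e >> lo) & ((1 << (i - lo + 1)) - 1)], acc)
        i = lo - 1
    return to_affine(acc)


def affine_add(p1, p2):
    """Division-based rules 5) and 6), used only as a reference to check against."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2), p = p1, p2, P_FIELD
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def affine_mul(e, point):
    """Reference e*point by repeated affine addition."""
    acc = None
    for _ in range(e):
        acc = affine_add(acc, point)
    return acc
```

The inversion in `to_affine` is the only field division on the projective path; the affine reference divides once per addition.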

The above embodiments are practiced by software which 
executes the operations illustrated in FIGS. 3 to 5. 
Obviously, the embodiments can be practiced by using 
electronic circuits. 

With each embodiment of the invention, data enciphering 
and deciphering processes using the elliptic curve encryp- 
tion can be executed faster than conventional processes. 
Also with each embodiment of the invention, it is obvious 
that a person skilled in the art can execute a digital signature 
generation process and a digital signature verification pro- 
cess at high speed by using the elliptic curve encryption. 

As described in each embodiment of the invention, by
using a high speed $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$ for the addition
arithmetic and a high speed $[X_1, Y_1, Z_1]$ for the doubling in
the elliptic curve encryption, the following advantages can
be obtained.

(1) Addition arithmetic: By using
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$,
the addition calculation
can be executed by performing a multi-precision integer
multiplication modulo operation 14 times.

(2) In the scalar multiplication operation of an arbitrary
point, a so-called window method is used to express a
segment as $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$ so that the
above-described 14 operations can be used for the
addition calculation.

(3) The doubling calculation can be performed by the
operations of 10 times (by 8 times if $a = -3$) by executing
a conventional $[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$.

According to the present invention, data enciphering and 
deciphering processes using the elliptic curve encryption can 
be executed faster than conventional processes, and a digital 
signature generation process and a digital signature verifi- 
cation process can be executed at high speed. 

What is claimed is: 

1. An elliptic curve encryption method using an elliptic
curve over a prime field, comprising the steps of:

expressing different points on the elliptic curve in a
homogeneous coordinate system $[x, y, z]$ using $[x_3, y_3, z_3]$
and $[x_1, y_1, z_1, (z_1)^2, (z_1)^3]$;

adding said points using
$[x_3, y_3, z_3] = [x_1, y_1, z_1, (z_1)^2, (z_1)^3] + [x_2, y_2, z_2]$;

doubling said points using $[x_3, y_3, z_3] = 2[x_1, y_1, z_1]$;

performing scalar multiplication using said point addition 
and said point doubling; and 

performing encryption or decryption using the perfor- 
mance result of said scalar multiplication. 

2. An elliptic curve encryption method using an elliptic 
curve over a prime field, comprising the steps of: 

defining a prime p as an order of a prime field, which has
a form of $p = Ab^n + B$ where $0 < A < 2^w$, $0 < B < 2^w$, $b = 2^w$, w,
A, B, b are positive integers; and

performing encryption or decryption using the defined 
prime p. 

3. An elliptic curve encryption method using an elliptic 
curve over a prime field, comprising the steps of: 

defining a prime p as an order of a prime field, which has
a form of $p = Ab^n + B$ where $0 < A < 2^w$, $0 < B < 2^w$, $b = 2^w$, w,
A, B, b are positive integers;

performing a finite field arithmetic using said p; 

performing scalar multiplication using said finite field 
arithmetic; and 

performing encryption or decryption using the perfor- 
mance result of said scalar multiplication. 

4. An encryption system for executing an elliptic curve 
encryption method using an elliptic curve over a prime field, 
comprising: 

means for expressing different points on the elliptic curve
in a homogeneous coordinate system [X, Y, Z], which
using $[X_3, Y_3, Z_3]$ and $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$;

means for adding said different points using
$[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$; and

means for doubling said different points using
$[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$.

5. An encryption system as claimed in claim 4, further 
comprising: 

means for performing a scalar multiplication using the 
point addition and the point doubling; and 

means for performing encryption or decryption using a 
performance result of said scalar multiplication. 

6. An encryption system for executing an elliptic curve 
encryption method using an elliptic curve over a prime field, 
wherein: 

means for defining a prime p as an order of a prime field,
which has a form of $p = Ab^n + B$ where $0 < A < 2^w$,
$0 < B < 2^w$, $b = 2^w$, and w, A, B and b are positive integers;
and

means for performing encryption or decryption using said 
prime p defined by said prime defining means. 

7. An encryption system for executing an elliptic curve 
encryption method using an elliptic curve over a prime field, 
comprising: 

means for defining a prime p as an order of a prime field,
which has a form of $p = Ab^n + B$ where $0 < A < 2^w$,
$0 < B < 2^w$, $b = 2^w$, and w, A, B and b are positive integers;

means for performing a finite field arithmetic using said
prime p;

means for performing a scalar multiplication using said
finite field arithmetic; and

means for performing encryption or decryption using the
performance result of said scalar multiplication.

8. An elliptic curve encryption method of receiving elliptic
curve information to generate a public key and enciphering
a plain text in accordance with the elliptic curve information
and the public key, comprising the steps of:

providing different points on the elliptic curve in a
homogeneous coordinate system [X, Y, Z] which are
expressed by $[X_3, Y_3, Z_3]$ and $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$;

using $[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$
in a point addition process; and

using $[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$ in a point doubling
process.

9. An elliptic curve encryption method as claimed in claim 
8, further comprising: 

performing a scalar multiplication using results of the 
point addition process and the point doubling process; 
and 

performing encryption or decryption using a performance 
result of said scalar multiplication. 

10. An elliptic curve encryption method of receiving 
elliptic curve information to generate a private key and 
deciphering an enciphered text in accordance with the 
elliptic curve information and the private key, comprising 
the steps of: 

providing different points on the elliptic curve in a
homogeneous coordinate system [X, Y, Z] which are
expressed by $[X_3, Y_3, Z_3]$ and $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$;

using $[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$
in a point addition process; and

using $[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$ in a point doubling
process.

11. An elliptic curve encryption method as claimed in 
claim 10, further comprising: 

performing a scalar multiplication using results of the 
point addition process and the point doubling process; 
and 

performing encryption or decryption using a performance
result of said scalar multiplication.

12. A computer-readable storage device for storing a
program for implementing a method for an elliptic curve
encryption method using an elliptic curve in a prime field,
comprising the steps of:

providing different points on the elliptic curve in a
homogeneous coordinate system [X, Y, Z] which are
expressed by $[X_3, Y_3, Z_3]$ and $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$;

using $[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$
in a point addition process; and

using $[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$ in a point doubling
process.

13. A computer-readable storage device as claimed in
claim 12, further comprising:

performing a scalar multiplication using results of the
point addition process and the point doubling process;
and

performing encryption or decryption using a performance
result of said scalar multiplication.

14. A computer-readable storage device for storing a
program for implementing an elliptic curve encryption
method of receiving elliptic curve information to generate a
private key and deciphering an enciphered text in accordance
with the elliptic curve information and the private key,
comprising the steps of:

providing different points on the elliptic curve in a
homogeneous coordinate system [X, Y, Z] which are
expressed by $[X_3, Y_3, Z_3]$ and $[X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3]$;

using $[X_3, Y_3, Z_3] = [X_1, Y_1, Z_1, (Z_1)^2, (Z_1)^3] + [X_2, Y_2, Z_2]$
in a point addition process; and

using $[X_3, Y_3, Z_3] = 2[X_1, Y_1, Z_1]$ in a point doubling
process.

15. A computer-readable storage device as claimed in 
claim 14, further comprising: 

performing a scalar multiplication using results of the 
point addition process and the point doubling process; 
and

performing encryption or decryption using a performance 
result of said scalar multiplication. 

* * * * * 